I have an ASA 5520 that is configured for remote access VPN and clients connect using IPSec or anyconnect SSL.
Most of the clients use non-split tunneling policy and the web traffic goes through the ASA. Our URL filtering server is on the inside network. I tried configuring URL filtering but did not work since the vpn clients get terminated on the outside (lower security interface) and the web traffic flows from outside to inside (higher security) and URL filtering will work only when the http traffic goes from higher security to lower security.
How can I enable URL filtering for remote access users?
I don't think the URL filter is restricted to inside users going to outside. Can you check if the u-turn / hairpin is enabled and working fine? If so, can you please post your URL config here? Are you including the VPN client pool for URL inspection? Can you post your config?
The topology is that the ASA is sending it to another default gateway.
The ASA's outside interface is facing the internet and the inside is connected to the DMZ interface of our perimeter firewall.
The tunnel default gateway is our perimeter firewall. So, the web traffic comes from outside and goes to inside and goes to the DMZ interface of our perimeter firewall and out through the outside interface of the perimeter firewall.
I should be able to hairpin the web traffic on the outside of the ASA. Do you think this will force the URL filtering?
Well, since this traffic is in the end sent to this perimeter firewall, you might want to think about filtering URLs in that one (unless you want to modify the whole traffic flow). I think that hairpinning will allow you to do URL filtering on the ASA itself, since it somehow covers the "outbound" URL filter rule.
I do not want to modify the whole traffic flow. I looked into doing the URL filtering on the perimeter firewall but it did not work out due to some licensing issues or some other reasons that are beyond me.
I still want to be able to use the perimeter firewall as the tunnel gateway but for port 80 non-internal traffic, I just want to hair-pin the traffic. I think I should be able to do this with some ACL and route statements.
Unfortunately, if you define a tunnel default gateway, all traffic, including HTTP traffic, will be sent to that firewall; you would need to remove the tunnel default gateway to achieve the hairpin feature.
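To make the last reply concrete, here is an added ASA configuration fragment (not posted by anyone in this thread, and not the original poster's config) showing what the change looks like: the `tunneled` keyword on the default route is what sends all decrypted VPN traffic to the perimeter firewall, and the same-security intra-interface permit is what allows traffic to enter and leave the outside interface (the hairpin). Interface names, the perimeter firewall address, the Websense server address and the VPN pool network are all assumed placeholder values; the NAT statement needed for the hairpinned flow is version-specific (8.2 vs. 8.3+ syntax) and is deliberately left out.

```cisco
! Assumed addresses: 203.0.113.1 = ISP next hop, 10.1.1.50 = URL filter server on inside,
! 10.10.10.0/24 = remote access VPN address pool (all constructed examples)

! 1. Allow decrypted VPN traffic to leave through the interface it arrived on (outside)
same-security-traffic permit intra-interface

! 2. Remove the tunnel default gateway; with it present every decrypted packet,
!    HTTP included, is forwarded to the perimeter firewall and never hairpins
no route outside 0.0.0.0 0.0.0.0 203.0.113.1 tunneled
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! 3. URL filter server reachable on the inside interface, and the filter rule
!    scoped to the VPN pool as the "local" side so only remote users are inspected
url-server (inside) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 4
filter url http 10.10.10.0 255.255.255.0 0.0.0.0 0.0.0.0
```

The trade-off the thread describes follows directly from step 2: once the tunneled route is gone, non-HTTP VPN traffic also stops being forced to the perimeter firewall, so whatever the perimeter firewall was inspecting for those users has to be covered on the ASA or by explicit routes instead. After the change, `show route` should no longer list the tunneled default, and `show url-server` should report the Websense server as up.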